The bugs were reported by Ian Ling on Full Disclosure, and apply to firmware used in the company's access points, client products, and backhaul systems.

The products' Web interface reveal device serial numbers, which another page in the same interface can be used to force a factory reset without authentication.

The web interface also leaks passwords: an attacker can use an unsanitized GET to download files as root, which ends up as more-or-less complete pwnage:

“This can be used to view unsalted, MD5-hashed administrator passwords, which can then be cracked, giving the attacker full admin access to the device’s web interface. This vulnerability can also be used to view the plaintext pre-shared key (PSK) for encrypted connections, or to view the device’s serial number (which leads to DoS).”

There are also bugs in the way the systems use the Mosquitto lightweight message broker. It also leaks the serial number (and therefore provides a DoS vector), but worse, it leaks enough information that an attacker could endlessly reset a target.

Since an attacker can stroll through systems without authentication, Ling was just filling in time waiting for a pizza delivery to dig out two privilege escalation vulnerabilities only available to authenticated users.

In the first, someone who's logged into the Web interface can pass commands to an unsanitized ping command and execute commands as root; and in the other, undocumented commands like Curl are also available from the Web interface, and can also execute as root.

The bugs apply to firmware versions below 2.2.3 and were patched in a mid-April release from Mimosa. ®